c7n-org cannot deploy policies in multiple account same error occurring #7458

misumme-pg · 2022-05-27T14:12:10Z

misumme-pg
May 27, 2022

Ask your question

I am trying to get custodian to do this ...

@kapilt I'm having the same problem deploying c7n-org policies; I'm trying to auto tag ec2 instances in the managed account once they are launch but I'm getting same error that is mentioned. Just for the testing purpose I even gave root account and managed account role full admin permission but still getting the same error. I'm not sure what is wrong with my permission

Policy

My managed acct trust policy is as followed

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::11111111:role/custodainrole",
"Service": [
"lambda.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}

Policy attach is [AWSLambdaExecute], [AWSConfigRulesExecutionRole], & EC2FullAccess. And inline policy 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "lambda:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::root-account#:role/custodainrole"
        }
    ]
}

Relevant log/traceback output

running policy:cloud-custodian-auto-tag account:devops-account region:us-west-2 error:An error occurred (AccessDeniedException) when calling the CreateFunction operation: Cross-account pass role is not allowed.

Answered by misumme-pg

Jun 1, 2022

Permission

policies:

name: cloud-custodian-auto-tag
resource: ec2
mode:
type: cloudtrail
role: arn:aws:iam::account_id#:role/AmazonSSMRoleForInstancesQuickSetup
events:
- RunInstances
  tags:
  custodian-info: mode=cloudtrail:version=0.9.16
  filters:
- tag:CreatorName: absent
  actions:
- type: auto-tag-user
  tag: CreatorName
- type: tag
  key: backup
  value: weekly

Still getting error: I cannot get around this error even when starting from scratch

View full answer

misumme-pg · 2022-06-01T16:22:31Z

misumme-pg
Jun 1, 2022
Author

Permission

policies:

name: cloud-custodian-auto-tag
resource: ec2
mode:
type: cloudtrail
role: arn:aws:iam::account_id#:role/AmazonSSMRoleForInstancesQuickSetup
events:
- RunInstances
  tags:
  custodian-info: mode=cloudtrail:version=0.9.16
  filters:
- tag:CreatorName: absent
  actions:
- type: auto-tag-user
  tag: CreatorName
- type: tag
  key: backup
  value: weekly

Still getting error: I cannot get around this error even when starting from scratch

0 replies

adityagupta1982 · 2023-03-16T17:34:23Z

adityagupta1982
Mar 16, 2023

Did anyone manage to solve this issue? Searched the internet seems no one has a clear solution :(

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cloud Custodian

c7n-org cannot deploy policies in multiple account same error occurring #7458

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

Cloud Custodian

c7n-org cannot deploy policies in multiple account same error occurring #7458

misumme-pg May 27, 2022

Ask your question

Policy

Relevant log/traceback output

Replies: 2 comments

misumme-pg Jun 1, 2022 Author

adityagupta1982 Mar 16, 2023

misumme-pg
May 27, 2022

misumme-pg
Jun 1, 2022
Author

adityagupta1982
Mar 16, 2023